[Samba] Kerberos ticket lifetime

Rowland penny rpenny at samba.org
Thu Oct 1 10:57:13 UTC 2020

On 01/10/2020 11:22, Remy Zandwijk wrote:
>> On 1 Oct 2020, at 10:31, Rowland penny via samba 
>> <samba at lists.samba.org> wrote:
>> On 01/10/2020 00:23, Jason Keltz via samba wrote:
>>> Remy,
>>> On the domain controller (samba-ad-dc), I have in the config: 
>>> kdc:user ticket lifetime = 24
>> I do not recognise that smb.conf option, could this be another 
>> FreeBSD change that was never sent upstream or, if it was, it was 
>> rejected?
> Uh, no?
> https://wiki.samba.org/index.php/Samba_KDC_Settings
> So the question is, is that info on the Wiki (still) valid and if so, 
> why isn't it documented in the smb.conf man page?

Well, you learn something new every day :-)

A quick search in 'man smb.conf' on 'kdc' turns this up:

gpo update command (G)

This option sets the command that is called to apply GPO policies.
The samba-gpupdate script applies System Access and Kerberos Policies to 
the KDC.
System Access policies set minPwdAge, maxPwdAge, minPwdLength, and 
pwdProperties in the samdb.
Kerberos Policies set kdc:service ticket lifetime, kdc:user ticket 
lifetime, and kdc:renewal lifetime in smb.conf.

Apart from the wiki page (which dates back to 2014), that is it.

Let me look into this further.

